Security Metrics to Drive Change

What’s the point, really? You've dedicated terabytes of storage to capture insane volumes of log data, but for what? Yes, you can distill the highlights which make you look good and drop them in your reports. Be warned that those types of vanity metrics don’t provide any real value. Use the right security metrics in the right way, and you can clearly illustrate the issues.

And that's how you drive change for your organization.

Security metrics give you the tools to change user behavior and to build a case for the kind of changes you want to make to the organization's security posture. Use metrics to illustrate how a given behavior or security control is working (or not, as the case may be) and justify how or why it should be changed.

It’s often particularly hard to get budget allocated for security in the first place or justify continued investment in security. The problem is that security doesn’t typically generate income—it’s just a “necessary evil”—and the better job you do at protecting your network and data the less obvious it is that security is necessary at all. If there’s never any malware outbreak or data breach it’s easy for management to become complacent and wonder why the company is spending so much money on security.

When I was at EDS working as a consultant managing security at General Motors we used to show the IT managers at GM stories about its competitors being breached or compromised in order to demonstrate and stress that the reason it was a rival company in the news instead of them is because of the investment being made in security. We had to have some way to justify the money they were paying us. A security incident might validate the need for security but get you fired at the same time for failing to prevent it.

What would have worked better would have been gathering the appropriate security metrics to demonstrate the value we were bringing to the table. Security metrics are an ideal way to build a business case for security tools and policies. You just have to make sure you’re capturing the right data to make the point you’re trying to make.

How many security incidents impact your organization on an annual or monthly basis? What is the mean time to recovery—how long does it take on average to resolve a security incident and resume normal business operations? What is the financial impact to the organization of the lost productivity associated with security incidents?

Gathering data like this and presenting it in a clear manner to upper management is an extremely effective and convincing way to justify a request to hire an additional full-time employee. If you can provide real-world data of the impact security incidents have on the organization—particularly on the bottom line—and demonstrate how the additional employee can reduce the number of security incidents and shorten the mean time to recovery it’s virtually a slam dunk business case.

Security is an imperative for organizations, but in the end it has to follow the same basic rules for business. Budget dollars are in high demand from every department in most companies and you have to be able to demonstrate the value you propose. Put security metrics to work for you to identify the areas where you’re weak and build a strong business case that drives change.